feat: POC for allowing TemplateAdmin to delete prebuild workspaces via auth layer

ssncferreira · ssncferreira · commit e05480dcd282 · 2025-06-11T19:14:06.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -412,6 +412,9 @@ var (
 						policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate,
 						policy.ActionWorkspaceStart, policy.ActionWorkspaceStop,
 					},
+					rbac.ResourcePrebuiltWorkspace.Type: {
+						policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
+					},
 					// Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 					rbac.ResourceOrganizationMember.Type: {
 						policy.ActionCreate,
@@ -3909,7 +3912,11 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		action = policy.ActionWorkspaceStop
 	}
 
-	if err = q.authorizeContext(ctx, action, w); err != nil {
+	if action == policy.ActionDelete && w.IsPrebuild() {
+		if err := q.authorizeContext(ctx, action, w.PrebuildRBAC()); err != nil {
+			return xerrors.Errorf("authorize context: %w", err)
+		}
+	} else if err = q.authorizeContext(ctx, action, w); err != nil {
 		return xerrors.Errorf("authorize context: %w", err)
 	}
 
@@ -3927,7 +3934,11 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		// to use a non-active version then we must fail the request.
 		if accessControl.RequireActiveVersion {
 			if arg.TemplateVersionID != t.ActiveVersionID {
-				if err = q.authorizeContext(ctx, policy.ActionUpdate, t); err != nil {
+				if w.IsPrebuild() {
+					if err := q.authorizeContext(ctx, policy.ActionUpdate, w.PrebuildRBAC()); err != nil {
+						return xerrors.Errorf("cannot use non-active version: %w", err)
+					}
+				} else if err = q.authorizeContext(ctx, policy.ActionUpdate, t); err != nil {
 					return xerrors.Errorf("cannot use non-active version: %w", err)
 				}
 			}
@@ -3949,7 +3960,11 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 		return err
 	}
 
-	err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
+	if workspace.IsPrebuild() {
+		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace.PrebuildRBAC())
+	} else {
+		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
+	}
 	if err != nil {
 		return err
 	}
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -226,9 +226,26 @@ func (w Workspace) WorkspaceTable() WorkspaceTable {
 }
 
 func (w Workspace) RBACObject() rbac.Object {
+	//if w.IsPrebuild() {
+	//	return w.PrebuildRBAC()
+	//}
 	return w.WorkspaceTable().RBACObject()
 }
 
+func (w Workspace) IsPrebuild() bool {
+	// TODO: avoid import cycle
+	return w.OwnerID == uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0")
+}
+
+func (w Workspace) PrebuildRBAC() rbac.Object {
+	if w.IsPrebuild() {
+		return rbac.ResourcePrebuiltWorkspace.WithID(w.ID).
+			InOrg(w.OrganizationID).
+			WithOwner(w.OwnerID.String())
+	}
+	return w.RBACObject()
+}
+
 func (w WorkspaceTable) RBACObject() rbac.Object {
 	if w.DormantAt.Valid {
 		return w.DormantRBAC()
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -102,6 +102,13 @@ var RBACPermissions = map[string]PermissionDefinition{
 	"workspace_dormant": {
 		Actions: workspaceActions,
 	},
+	"prebuilt_workspace": {
+		Actions: map[Action]ActionDefinition{
+			ActionRead:   actDef("read prebuilt workspace"),
+			ActionUpdate: actDef("update prebuilt workspace"),
+			ActionDelete: actDef("delete prebuilt workspace"),
+		},
+	},
 	"workspace_proxy": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create a workspace proxy"),
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -335,8 +335,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceAssignOrgRole.Type: {policy.ActionRead},
 			ResourceTemplate.Type:      ResourceTemplate.AvailableActions(),
 			// CRUD all files, even those they did not upload.
-			ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
-			ResourceWorkspace.Type: {policy.ActionRead},
+			ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
+			ResourceWorkspace.Type:         {policy.ActionRead},
+			ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			// CRUD to provisioner daemons for now.
 			ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			// Needs to read all organizations since
@@ -493,9 +494,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
-						ResourceTemplate.Type:  ResourceTemplate.AvailableActions(),
-						ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
-						ResourceWorkspace.Type: {policy.ActionRead},
+						ResourceTemplate.Type:          ResourceTemplate.AvailableActions(),
+						ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
+						ResourceWorkspace.Type:         {policy.ActionRead},
+						ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						// Assigning template perms requires this permission.
 						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionRead},
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -404,6 +404,11 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 			ctx,
 			tx,
 			func(action policy.Action, object rbac.Objecter) bool {
+				if object.RBACObject().Type == rbac.ResourceWorkspace.Type && action == policy.ActionDelete {
+					workspaceObj := object.(database.Workspace)
+					prebuild := workspaceObj.PrebuildRBAC()
+					return api.Authorize(r, action, prebuild)
+				}
 				return api.Authorize(r, action, object)
 			},
 			audit.WorkspaceBuildBaggageFromRequest(r),
diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go
diff --git a/enterprise/coderd/prebuilds/reconcile_test.go b/enterprise/coderd/prebuilds/reconcile_test.go
@@ -8,6 +8,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
+	"github.com/coder/coder/v2/enterprise/coderd/license"
+	"github.com/coder/coder/v2/provisionersdk"
+
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/xerrors"
@@ -420,6 +426,108 @@ func TestPrebuildReconciliation(t *testing.T) {
 	}
 }
 
+func TestTemplateAdminDelete(t *testing.T) {
+	t.Parallel()
+
+	if !dbtestutil.WillUsePostgres() {
+		t.Skip("This test requires postgres")
+	}
+
+	t.Run("template admin delete prebuilds", func(t *testing.T) {
+		t.Parallel()
+
+		clock := quartz.NewMock(t)
+
+		// Setup.
+		ctx := testutil.Context(t, testutil.WaitSuperLong)
+		db, pubsub := dbtestutil.NewDB(t)
+
+		spy := newStoreSpy(db, nil)
+
+		logger := testutil.Logger(t)
+		client, _, api, owner := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				Database: spy,
+				Pubsub:   pubsub,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureExternalProvisionerDaemons: 1,
+				},
+			},
+
+			EntitlementsUpdateInterval: time.Second,
+		})
+
+		orgID := owner.OrganizationID
+
+		provisionerCloser := coderdenttest.NewExternalProvisionerDaemon(t, client, orgID, map[string]string{
+			provisionersdk.TagScope: provisionersdk.ScopeOrganization,
+		})
+		defer provisionerCloser.Close()
+
+		reconciler := prebuilds.NewStoreReconciler(spy, pubsub, codersdk.PrebuildsConfig{}, logger, clock, prometheus.NewRegistry(), newNoopEnqueuer())
+		var claimer agplprebuilds.Claimer = prebuilds.NewEnterpriseClaimer(spy)
+		api.AGPL.PrebuildsClaimer.Store(&claimer)
+
+		version := coderdtest.CreateTemplateVersion(t, client, orgID, templateWithAgentAndPresetsWithPrebuilds(2))
+		_ = coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
+		presets, err := client.TemplateVersionPresets(ctx, version.ID)
+		require.NoError(t, err)
+		require.Len(t, presets, 1)
+		preset := setupTestDBPreset(t, db, version.ID, 2, "b0rked")
+
+		templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.RoleTemplateAdmin())
+
+		state, err := reconciler.SnapshotState(ctx, spy)
+		require.NoError(t, err)
+		require.Len(t, state.Presets, 2)
+
+		for _, preset := range presets {
+			ps, err := state.FilterByPreset(preset.ID)
+			require.NoError(t, err)
+			require.NotNil(t, ps)
+			actions, err := reconciler.CalculateActions(ctx, *ps)
+			require.NoError(t, err)
+			require.NotNil(t, actions)
+
+			require.NoError(t, reconciler.ReconcilePreset(ctx, *ps))
+		}
+
+		workspace, _ := setupTestDBPrebuild(
+			t,
+			clock,
+			db,
+			pubsub,
+			database.WorkspaceTransitionStart,
+			database.ProvisionerJobStatusSucceeded,
+			orgID,
+			preset,
+			template.ID,
+			version.ID,
+		)
+
+		require.NoError(t, reconciler.ReconcileAll(ctx))
+
+		runningWorkspaces, err := db.GetRunningPrebuiltWorkspaces(ctx)
+		require.NoError(t, err)
+
+		prebuiltWorkspace, err := db.GetWorkspaceByID(ctx, runningWorkspaces[0].ID)
+		require.NoError(t, err)
+
+		build, err := templateAdminClient.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			Transition: codersdk.WorkspaceTransitionDelete,
+		})
+		require.NoError(t, err, "delete the workspace")
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+
+		workspaceNew, err := client.DeletedWorkspace(ctx, prebuiltWorkspace.ID)
+		require.NoError(t, err)
+		require.Equal(t, prebuiltWorkspace.ID, workspaceNew.ID)
+	})
+}
+
 // brokenPublisher is used to validate that Publish() calls which always fail do not affect the reconciler's behavior,
 // since the messages published are not essential but merely advisory.
 type brokenPublisher struct {
diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts
@@ -123,6 +123,11 @@ export const RBACResourceActions: Partial<
 		read: "read member",
 		update: "update an organization member",
 	},
+	prebuilt_workspace: {
+		delete: "delete prebuilt workspace",
+		read: "read prebuilt workspace",
+		update: "update prebuilt workspace",
+	},
 	provisioner_daemon: {
 		create: "create a provisioner daemon/key",
 		delete: "delete a provisioner daemon/key",
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
